Merge tmakinen/puppet

2013-01-09 12:29:11 +02:00 · 2013-01-09 12:29:11 +02:00 · ddef081721
commit ddef081721
parent 8c7114f2a3 3e176d5340
6 changed files with 123 additions and 18 deletions
--- a/apparmor/lib/facter/apparmor.rb
+++ b/apparmor/lib/facter/apparmor.rb
@ -0,0 +1,20 @@
+
+Facter.add("apparmor") do
+    setcode do
+        result = false
+        if File.exists?("/sys/module/apparmor")
+            begin
+                f = File.new("/proc/mounts")
+                while (line = f.gets)
+                    if line.split()[2] == "securityfs"
+                        if File.exists?(File.join(line.split()[1], "apparmor"))
+                            result = true
+                        end
+                    end
+                end
+            rescue
+            end
+        end
+        result
+    end
+end
--- a/dns/manifests/init.pp
+++ b/dns/manifests/init.pp
@ -279,6 +279,11 @@ define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [],
        $zone     = "$2/$3"
        $zonefile = "$2-$3"
    } else {
+        case dirname($name) {
+            ".":       { $view = "" }
+            "default": { $view = "" }
+            default:   { $view = dirname($name) }
+        }
        $zone     = basename($name)
        $zonefile = $zone
    }
@ -347,7 +352,7 @@ define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [],
                mode   => "0750",
                owner  => "root",
                group  => $dns::server::group,
-                before => File["${dns::server::chroot}${dns::server::confdir}/${view}zone.${zonefile}"],
+                before => File["${dns::server::chroot}${dns::server::confdir}/${view}/zone.${zonefile}"],
            }
        }
    }
@ -363,14 +368,14 @@ define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [],
                owner  => "root",
                group  => $dns::server::group,
                before => $role ? {
-                    "master" => File["${dns::server::chroot}${zonedir}db.${zonefile}"],
+                    "master" => File["${dns::server::chroot}${zonedir}/db.${zonefile}"],
                    default  => undef,
                },
            }
        }
    }

-    file { "${dns::server::chroot}${dns::server::confdir}/${view}zone.${zonefile}":
+    file { "${dns::server::chroot}${dns::server::confdir}/${view}/zone.${zonefile}":
        ensure  => present,
        content => template("dns/zone.$role.erb"),
        mode    => "0640",
@ -385,7 +390,7 @@ define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [],

    if $role == "master" and $zone != "." {
        if $source != "AUTO" {
-             file { "${dns::server::chroot}${zonedir}db.${zonefile}":
+             file { "${dns::server::chroot}${zonedir}/db.${zonefile}":
                 ensure  => present,
                 source  => $source,
                 mode    => "0640",
--- a/ldap/files/slapd.default
+++ b/ldap/files/slapd.default
@ -0,0 +1,45 @@
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF="/etc/ldap/slapd.conf"
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work).  Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work).  Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab).  To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
--- a/ldap/manifests/init.pp
+++ b/ldap/manifests/init.pp
@ -340,7 +340,7 @@ class ldap::client::ruby {
 #
 class ldap::server {

-    include ssl
+    require ssl

    if !$ldap_server_key {
        $ldap_server_key = "${puppet_ssldir}/private_keys/${homename}.pem"
@ -356,7 +356,15 @@ class ldap::server {
            $package_name = "slapd"
            $service_name = "slapd"
            $config = "/etc/ldap"
-            $modulepath = "/usr/lib/openldap"
+            $modulepath = "/usr/lib/ldap"
+            $rundir = "/var/run/slapd"
+            exec { "usermod-openldap":
+                path    => "/bin:/usr/bin:/sbin:/usr/sbin",
+                command => "usermod -a -G ssl-cert openldap",
+                unless  => "id -n -G openldap | grep '\\bssl-cert\\b'",
+                require => Package["openldap-server"],
+                before  => Service["slapd"],
+            }
        }
        "fedora": {
            $user = "ldap"
@ -368,6 +376,7 @@ class ldap::server {
                "x86_64" => "/usr/lib64/openldap",
                default  => "/usr/lib/openldap",
            }
+            $rundir = "/var/run/openldap"
        }
        "centos","redhat": {
            $user = "ldap"
@ -385,6 +394,7 @@ class ldap::server {
                "x86_64" => "/usr/lib64/openldap",
                default  => "/usr/lib/openldap",
            }
+            $rundir = "/var/run/openldap"
        }
        "openbsd": {
            $user = "_openldap"
@ -393,6 +403,7 @@ class ldap::server {
            $service_name = "slapd"
            $config = "/etc/openldap"
            $modulepath = ""
+            $rundir = "/var/run/openldap"
        }
    }

@ -446,15 +457,29 @@ class ldap::server {
        notify  => Exec["generate-slapd-database-config"],
    }

-    if $::operatingsystem in ["CentOS","RedHat"] and $operatinsystemrelease !~ /^5\./ {
-        file { "/etc/sysconfig/ldap":
-            ensure  => present,
-            source  => "puppet:///modules/ldap/ldap.sysconfig",
-            mode    => "0644",
-            owner   => "root",
-            group   => "root",
-            notify  => Service["slapd"],
-            require => Package["openldap-server"],
+    case $::operatingsystem {
+        "centos","redhat": {
+            if $::operatinsystemrelease !~ /^5\./ {
+                file { "/etc/sysconfig/ldap":
+                    ensure  => present,
+                    source  => "puppet:///modules/ldap/ldap.sysconfig",
+                    mode    => "0644",
+                    owner   => "root",
+                    group   => "root",
+                    notify  => Service["slapd"],
+                    require => Package["openldap-server"],
+                }
+            }
+        }
+        "debian","ubuntu": {
+            file { "/etc/default/slapd":
+                source  => "puppet:///modules/ldap/slapd.default",
+                mode    => "0644",
+                owner   => "root",
+                group   => "root",
+                notify  => Service["slapd"],
+                require => Package["openldap-server"],
+            }
        }
    }

--- a/ldap/templates/slapd.conf.erb
+++ b/ldap/templates/slapd.conf.erb
@ -19,14 +19,18 @@ security simple_bind=128
 sizelimit size.soft=500
 sizelimit size.hard=none

-pidfile		/var/run/openldap/slapd.pid
-argsfile	/var/run/openldap/slapd.args
+pidfile		<%= scope.lookupvar('ldap::server::rundir') %>/slapd.pid
+argsfile	<%= scope.lookupvar('ldap::server::rundir') %>/slapd.args

 # overlay modules to load
 <% if scope.lookupvar('ldap::server::modulepath') != '' -%>
 modulepath <%= modulepath %>
 moduleload ppolicy.la
 moduleload syncprov.la
+<%   if ['Ubuntu','Debian'].index(operatingsystem) -%>
+moduleload back_hdb.la
+moduleload back_monitor.la
+<%   end -%>
 <%   if has_variable?('ldap_server_modules') -%>
 <%     ldap_server_modules.each do |name| -%>
 moduleload <%= name %>.la
--- a/ssl/manifests/init.pp
+++ b/ssl/manifests/init.pp
@ -12,9 +12,15 @@ class ssl {
            $certs = "/etc/ssl"
            $private = "/etc/ssl/private"
        }
-        default: {
+        "debian","ubuntu": {
            $certs = "/etc/ssl/certs"
            $private = "/etc/ssl/private"
+            package { "ssl-cert":
+                ensure => installed,
+            }
+        }
+        default: {
+            fail("Class ssl not supported on ${::operatingsystem}")
        }
    }